[57] ABSTRACT

Methods, signals, devices, and systems are provided for 
secure access to a network from an external client. Requests 
for access to confidential data may be redirected from a 
target server to a border server, after which a secure sockets 
layer connection between the border server and the external 
client carries user authentication information. After the user 
is authenticated to the network, requests may be redirected 
back to the original target server. Web pages sent from the 
target server to the external client are scanned for non-secure 
URLs such as those containing "http://" and modified to 
make them secure. The target server and the border server 
utilize various combinations of secure and non-secure 
caches. Although tunneling may be used, the extensive 
configuration management burdens imposed by virtual private
networks are not required.

30 Claims, 4 Drawing Sheets 
SECURE INTRANET ACCESS

FIELD OF THE INVENTION

The present invention relates to computer network security, and more particularly to the task of providing a user who is presently at a client machine outside the perimeter of a secure network with convenient, efficient, and secure access to data stored on a target server which is located within the secure network.

TECHNICAL BACKGROUND OF THE INVENTION

Distributed computing systems are becoming increasingly useful and prevalent. Distributed computers are now connected by local area networks, wide area networks, and networks of networks, such as the Internet. Many such networks are secured with a security perimeter which is defined by firewall software, routing limitations, encryption, virtual private networks, and/or other means. Machines within the security perimeter are given ready access to data stored in the secure network (possibly subject to user and group permissions, access control lists, and the like), while machines outside the perimeter are substantially or entirely denied access.

With the growth of such secure networks and their information content, there is an urgent need to support secure access by authorized users even when those users log in from a client machine outside the network security perimeter. A wide variety of tools and techniques relating to networks and/or security are known, at least individually and to at least some extent, including: computer network architectures including at least transport and session layers, sockets, clients, and servers; hyperlinks and uniform/universal resource locators (URLs); communications links such as Internet connections and LAN connections; proxy servers for HTTP and some other protocols; internetworking; Kerberos authentication; authentication through certificates exchanged during an SSL handshake; tying certificates to access control lists so that users are identified in certificates presented during the SSL handshake instead of being identified by an IP address, DNS name, or username and password; multiple instances of a server on the same machine in order to serve both insecure and secure documents; using a single password to log into an entire network rather than logging into individual servers; proxy servers as an example of servers which require user authentication; a secure sockets layer protocol manifestation in URLs, including protocol identifiers "http://" and "https://"; the use of a specific server port for network communication; various definitions of VPNs (virtual private networks); "route filtering" which controls route propagation; Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP); use of encryption technologies to provide the segmentation and virtualization required for VPN connectivity deployed in almost any layer of the protocol stack; transport or application layer VPNs; basic VPN requirements such as user authentication, address management, data encryption, key management, and multiprotocol support; tunneling by packet encapsulation, packet transmission, and packet unencapsulation; Lightweight Directory Access Protocol; a split proxy system for a protected computer network; translation between transport layer protocols; translation between IP and non-IP protocols; a proxy server within a network which receives a request for a protected Web resource from a browser outside the network and requires authentication of the browser to the proxy using some combination of a user ID and/or password; Novell/NetWare Directory Service (NDS) and user access controls; Windows NT Domain directory; Reverse Proxy/Virtual Hosting; a proxy server with HTTP caching; use of a proxy server by configuring client software to connect through the proxy server to prevent the client from being connected directly to the Internet; SSL encryption; an entry manager which serves as a single point of network entry for all users; a Trusted Sendmail Proxy, in the context of sensitivity labels and privileges, including a small, trusted program which acts as a communication path between an inside compartment that performs privileged internal operations and delivers local messages and an outside compartment that collects and sends messages without privilege; a secured https proxy which apparently does SSL tunneling, logging, and reacting to events; software which apparently allows use of https URLs by way of an SSL connection with a program that wraps https calls to http; a protocol stream or content processor which knows how to convert something involving an URL into proprietary content; a content converter which knows its content and content types for HTTP, Gopher, and other protocols; redirection of HTTP requests in connection with an HTTP proxy; superuser privileges; and object rights and property rights which apply to properties of an NDS object, as well as distribution of directory information across [illegible].

References which mention or discuss these and possibly other tools and techniques are identified and discussed relative to the present invention in a Petition for Examining Procedure filed concurrently with the present application. To the extent that the Petition describes the technical background of the invention as opposed to the invention itself, the text of the Petition is incorporated herein by reference. This incorporation by reference does not mean that the claimed invention was previously known.

Although a wide variety of tools and techniques relating to networks and/or security are known, it has not previously been known how to combine them to provide clients outside a secure network perimeter with sufficiently convenient, efficient, and secure access to Web pages stored on servers within the secure network.

For example, some previous approaches require that the user's name and/or password be sent across a network communications link in plain text. Other approaches protect the authentication information only with a reversible encoding such as uuencoding, which is not encryption at all: anyone who captures the traffic can decode it. In both cases, the authentication information is quite vulnerable to theft and misuse.

As another example, some previous approaches utilized strong encryption but required that special software be previously installed on both the client machine which is seeking access and on the server machine which holds the data sought by the client. Such approaches are taken by many virtual private networks, as well as by individual machines configured with public key/private key encryption software such as PGP software. These approaches protect user authentication information and/or the data which is transmitted after a user is authenticated, but they are not sufficiently convenient and efficient.

In particular, virtual private networks require significant administrative effort and vigilant attention to details in order to avoid problems arising from incorrect or inconsistent configurations. Moreover, widely used Web browsers such as those available from Netscape and Microsoft do not normally include full support for either virtual private networking or application-level encryption software such as PGP software.
Accordingly, it would be an advancement in the art to
improve the tools and techniques that are available to 
provide a user who is presently at a client outside the 
perimeter of a secure network with convenient, efficient, and 
secure access to data stored on a server located within the
secure network. 

Such improvements to secure network access are dis- 
closed and claimed herein. 

BRIEF SUMMARY OF THE INVENTION

In one embodiment, the present invention provides a 
distributed computing system which allows secure external 
access to a secure network such as a secure intranet. The 
system includes a target server within the secure network; a 
border server within the secure network; a client outside the
secure network; a user authentication system located at least 
partially within the secure network; and a uniform resource 
locator transformer. 

The border server is connectable to the target server by a 
first communications link, such as an intranet or Ethernet 
link. The client is connectable to the border server by a 
second communications link, such as a TCP/IP link. The 
client and the border server are configured to support secure 
sockets layer communication over the second communications
link using SSL or similar software.

The secure network is configured with authentication 
software and supporting data to allow direct access to the 
target server by a user only after the user is authenticated by 
the user authentication system. Typically, the user could
readily log onto the network from an internal client at work, 
and the security questions addressed by the invention arise 
because the user wishes to log on through an external client 
at home or in the field rather than an internal one at work. 

The uniform resource locator (URL) transformer modifies
non-secure uniform resource locators in data being sent from
the target server to the client by replacing them with
corresponding secure URLs to promote continued use of
secure sockets layer communication. The URL transformer
is an "SSL-izer". For instance, the URL transformer may
replace instances of "http" which refer to locations inside the
secure network 100 by corresponding instances of "https"
which refer to the same locations. The modifications to the
data promote continued use of a secure connection such as
an SSL connection. An URL transformer may be located on
the border server, on the target server, or both. If the URL
transformer is located on the target server, the system may
include tunneling software for tunneling secure data (which
was transformed into secure form at the target server)
between the client and the target server through the border
server.

The border server and/or target server may include one or
more data caches. For instance, in one configuration the
border server has a cache that holds data from the target
server which contains non-secure URLs, and the URL
transformer introduces secure URLs on the fly without
requiring that the transformed data also be cached on the
border server. In another configuration, a border server
cache includes a non-secure data cache for internal clients
and a secure data cache for external clients. The non-secure
data cache holds data that contains non-secure URLs, and
the secure data cache holds data that does not contain any
non-secure URLs. In yet another configuration, the border
server cache is simply free of data that contains non-secure
URLs.
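The SSL-izer and the split cache described in the two paragraphs above, as an added example. This is illustrative code written for this edit, not code from the patent or from Novell BorderManager. It assumes a list of hosts that count as "inside the secure network 100" (INTERNAL_HOSTS, constructed), that those hosts terminate SSL on port 443 as in the text's own example, and a constructed sample page; the BorderCache class and every function name are hypothetical.

```python
"""SSL-izer and split border cache; illustration added for this edit, not patent or Novell code."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Hosts treated as "inside the secure network 100" (constructed; a real border
# server would take this from its configuration or the directory service).
INTERNAL_HOSTS = {"www.novell.com", "docs.intranet.example"}
URL_ATTRS = {"href", "src", "action"}  # attributes a browser follows or fetches


def sslize_url(url, internal_hosts=INTERNAL_HOSTS):
    """Turn "http://<internal host>/..." into "https://<internal host>/...".
    External links, already-secure links and other schemes (mailto:, ftp:) pass
    through. A naive str.replace("http", "https") would also turn "https" into
    "httpss" and push outside sites onto a TLS port they may not serve. Assumes
    the internal servers terminate SSL on port 443, as in the text's example.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "http" or host not in internal_hosts:
        return url
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


class SSLizer(HTMLParser):
    """Rewrite URL-bearing attributes of a page; pass everything else through."""
    def __init__(self, internal_hosts=INTERNAL_HOSTS):
        super().__init__(convert_charrefs=False)
        self.internal_hosts, self.out, self.rewritten = internal_hosts, [], 0

    def _tag(self, tag, attrs, self_closing):
        pieces = [tag]
        for name, value in attrs:  # HTMLParser lowercases names and unescapes values
            if value is None:      # boolean attribute, e.g. <input disabled>
                pieces.append(name)
                continue
            if name in URL_ATTRS:
                new = sslize_url(value, self.internal_hosts)
                self.rewritten += new != value
                value = new
            pieces.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def sslize_page(page, internal_hosts=INTERNAL_HOSTS):
    """Return (secure_page, number_of_urls_rewritten)."""
    p = SSLizer(internal_hosts)
    p.feed(page)
    p.close()
    return "".join(p.out), p.rewritten


class BorderCache:
    """Split cache 110: the non-secure page for internal clients, a secure copy
    for external clients, transformed once and only when first requested."""
    def __init__(self, fetch_from_target, internal_hosts=INTERNAL_HOSTS):
        self._fetch = fetch_from_target  # callable(url) -> page as target server 104 serves it
        self._nonsecure, self._secure, self.internal_hosts = {}, {}, internal_hosts

    def get(self, url, external_client):
        if url not in self._nonsecure:
            self._nonsecure[url] = self._fetch(url)
        if not external_client:  # internal clients never pay for URL transformation
            return self._nonsecure[url]
        if url not in self._secure:
            self._secure[url] = sslize_page(self._nonsecure[url], self.internal_hosts)[0]
        return self._secure[url]


# Constructed sample page, as the target server might serve it to an internal client.
SAMPLE_PAGE = ('<html><body><a href="http://www.Novell.com/~hashem/foo_design.htm">design</a>'
               '<a href="https://www.novell.com/already/secure.htm">ok</a>'
               '<a href="http://www.example.org/public">outside</a>'
               '<img src="http://docs.intranet.example/logo.gif?a=1&amp;b=2">'
               '<a href="mailto:user@intranet.example">mail</a></body></html>')
```

Two design points matter here. First, the transformer rewrites only URLs whose host is inside the perimeter, as the summary specifies; rewriting every "http" would also break external links and would mangle URLs that are already "https". Relative URLs need no rewriting at all, because a browser resolves them against the page's own origin, which is already https once the border server has served the page over SSL. Second, because HTTP carries no state from one page to the next, the transformation has to be applied to every page an external client receives; the split cache makes that cheap by keeping one transformed copy per page while internal clients keep reading the untouched copy.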

In short, systems according to the invention use novel 
URL transformation and more familiar mechanisms such as 
HTTP redirection and SSL software (in novel ways) to
provide secure authentication of a user from an external 
client and to provide secure transmission of confidential data 
between the target server and the external client. 

By transforming non-secure URLs into secure URLs, the 
invention forces continued use of secure communications 
despite the inherent security problems caused by the lack of 
state information in HTTP. HTTP servers and browsers do 
not ordinarily "remember" security requirements from one 
Web page transmission to the next without some assistance. 
Accordingly, the present invention forces use of HTTPS or 
a similar secure connection each time the user follows an 
URL to confidential data. In addition, the invention provides 
security without requiring the installation of new client or 
target server software. Other features and advantages of the 
invention, and embodiments of the invention in methods, 
storage media, and signals, will all become more fully 
apparent through the following description. 

BRIEF DESCRIPTION OF THE DRAWINGS 

To illustrate the manner in which the advantages and 
features of the invention are obtained, a more particular 
description of the invention will be given with reference to 
the attached drawings. These drawings only illustrate 
selected aspects of the invention and thus do not limit the 
invention's scope. In the drawings: 

FIG. 1 is a diagram illustrating a secure network, a client 
outside the network, and several aspects of the present 
invention which allow secure communication between the 
client and the network. 

FIG. 2 is a flowchart illustrating several methods of the 
present invention. 

FIG. 3 is a diagram further illustrating one embodiment of 
the client and secure network shown in FIG. 1. 

FIG. 4 is a diagram further illustrating another embodi- 
ment of the client and secure network shown in FIG. 1. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

The present invention relates to methods, systems, 
signals, and devices for providing a user located outside a 
secure network with convenient, efficient, and secure access 
to data stored within the network. In particular, the invention 
provides and uses novel modifications to uniform resource 
locators (sometimes called "universal resource locators" or 
"URLs") to protect user authentication information and to 
protect data such as intranet Web pages which are sent to the 
user from within the secure network. Various components of 
the invention and its environment are discussed below. 
Network and Computer Architecture 

One of the many secure computer networks suited for use 
with the present invention is indicated at 100 in FIG. 1. The 
secure network 100 has a security perimeter 102 which is 
defined by firewall software, routing limitations, encryption 
and/or other means familiar to those of skill in the art. 
Authorized users can log into particular servers and/or to the 
network as a whole from clients within the security perim- 
eter and access data of the network 100 subject only to 
permissions, database locks, and the like, whereas attempts 
by the same authorized users to access the same data from 
outside the perimeter 102 are generally not allowed (at least, 
not without the invention or similar functionality). 

A wide variety of secure networks 100 may be configured 
according to the invention, including both individual com- 
puter networks and larger networks which are aggregations 
of smaller networks. For example, suitable computer net-
works 100 include local area networks, wide area networks, 
and/or portions of the Internet such as a private Internet, a 
secure Internet, a value-added network, or a virtual private 
network. The secure network 100 may also include or 
consist of a secure intranet, which is a secure network that 
employs TCP/IP and/or HTTP protocols internally. 

In one embodiment, the secure network 100 includes 
Novell NetWare® network operating system software 
(NETWARE is a registered trademark of Novell, Inc.). In 
alternative embodiments, the secure network 100 includes 
NetWare Connect Services, VINES, Windows NT, Windows 
95, Windows 98, Windows 2000, LAN Manager, or LAN- 
tastic network operating system software and/or an imple- 
mentation of a distributed hierarchical partitioned object 
database according to the X.500 protocol such as Novell 
Directory Services or Lightweight Directory Access Proto- 
col (LDAP) directory services (VINES is a trademark of 
Banyan Systems; NT, WINDOWS 95, WINDOWS 2000, 
and LAN MANAGER are trademarks of Microsoft Corpo- 
ration; LANTASTIC is a trademark of Artisoft). The secure 
network 100 may be connectable to other networks, includ- 
ing other LANs or portions of the Internet or an intranet, 
through a gateway or similar mechanism. 

The secure network 100 includes one or more file or 
object or Web servers such as a target server 104. The secure 
network 100 also includes at least one border server 106. 
The target server 104 and the border server 106 will often 
run on separate machines, but they may be merely separate 
processes which share one machine. 

In the illustrated configuration, the border server 106 
includes an URL transformer 108 and one or more caches
110. As discussed in greater detail below, the URL trans-
former 108 modifies uniform resource locators (URLs) to
protect the confidentiality of data sent to a user outside the 
secure network 100. The caches 110 are also discussed 
below. 

The secure network 100 may include additional servers 
and zero or more internal clients. The servers and the 
internal clients (if any) within the secure network 100 are 
connected by network signal lines to permit communications 
links between them in the form of network connections. In 
addition to their functionality as described herein, one or 
more of the servers 104, 106 may also be configured by 
those of skill in the art in a wide variety of ways to operate 
as Internet servers, as intranet servers, as proxy servers, as 
directory service providers or name servers, as software 
component or other object servers, or as a combination 
thereof. A given computer may function both as an internal 
client and as a server; this may occur, for instance, in 
peer-to-peer networks or on computers running Microsoft 
Windows NT or Windows 2000 software. The servers 104, 
106 may be uniprocessor or multiprocessor machines. The 
servers 104, 106 and internal clients (if any) each include an 
addressable storage medium such as random access memory 
and/or a nonvolatile storage medium such as a magnetic or 
optical disk. 

Suitable network 100 internal clients include, without 
limitation, personal computers, laptops, workstations, dis- 
connectable mobile computers, mainframes, information 
appliances, personal digital assistants, and other handheld 
and/or embedded processing systems. The signal lines 
which support communications links to the servers 104, 106 
may include twisted pair, coaxial, or optical fiber cables, 
telephone lines, satellites, microwave relays, modulated AC 
power lines, and other data transmission "wires" known to 
those of skill in the art. Signals according to the invention
may be embodied in such "wires" and/or in the addressable
storage media (volatile and/or nonvolatile). In addition to 
the servers 104, 106 and any internal client computers, the 
secure network 100 may include other equipment such as
printers, plotters, and/or disk arrays. Although particular
individual and network computer systems and components 
are shown, those of skill in the art will appreciate that the 
present invention also works with a variety of other net- 
works and computers. 

One or more of the servers 104, 106 and internal clients
may be capable of using floppy drives, tape drives, optical 
drives or other means to read a storage medium. A suitable 
storage medium includes a magnetic, optical, or other 
computer-readable storage device having a specific physical
substrate configuration. Suitable storage devices include
floppy disks, hard disks, tape, CD-ROMs, PROMs, RAM 
and other computer system storage devices. The substrate 
configuration represents data and instructions which cause 
the computer system to operate in a specific and predefined
manner as described herein. Thus, the medium tangibly
embodies a program, functions, and/or instructions that are 
executable by the servers 104, 106 and/or clients to perform 
secure network access steps of the present invention substantially
as described herein.

The illustrated novel configurations also include an external
client 112 which resides (at least initially) outside the
security perimeter 102. The external client 112 may be a 
single workstation, for instance, or another machine of the 
types discussed above in reference to internal clients.
Indeed, internal clients and external clients may differ
merely in physical location and in the fact that internal 
clients have ready access to data stored on the target server 
104 without the present invention while external clients gain 
access through the invention. The external client 112 may
also be a server which provides secure access between the
secure network 100 and one or more secondary clients 114 
on a network 116 which is served by and/or accessed 
through the client 112. 
Operation 

With continued reference to FIG. 1 and with reference to
FIG. 2 as well, the invention operates generally in the 
following manner. During a requesting step 120, the external 
client 112 requests access to data which is stored on the 
target server 104. From the perspective of the target server
104, this involves receiving a request during a step 200.
By checking the IP address from which the request was 
made, communicating with the firewall software, or other 
familiar means, the target server 104 determines that the 
request came from outside the security perimeter 102.
Accordingly, the target server 104 does not simply provide
the requested data. Of course, even if the request came from
inside the security perimeter 102, the target server would
generally check user permissions against access control lists 
associated with the data, or take other steps to make sure the
requesting user is entitled to access the requested data before
providing that data. User permissions, access control lists, 
labels, and similar security controls which have a granularity 
smaller than the security perimeter 102 may continue to be 
used in combination with the security constraints described
herein.

In one embodiment, a redirector on the border server 106 
redirects the request from the client 112 to the border server 
106 during a step 122. The border server 106 is advertised 
as the target server 104. In practice, the border server 106 
will often be on a separate machine from the target server
104, but those of skill in the art will appreciate that the target 
server 104 and the border server 106 may also run on the 
same machine. The redirection may be accomplished using
redirection capabilities which are part of the HTTP protocol. 
These redirection capabilities are conventionally used to 
automatically redirect Web browsers when a Web site has 
moved, that is, when the URL for the Web site has changed. 
In the context of the present invention, the Web site for
which access is sought has not moved, in that the desired 
data still resides on the target server 104. Instead, HTTP 
redirection provides a convenient and efficient tool for 
sending requests from external clients to the border server 
106 to maintain security as described herein. 

For example, assume that the target server 104 is identi- 
fied by the URL "http://www.Novell.com". The redirection 
step 122 might return the following URL to the external 
client 112: 

https://BorderManager:443?"http://www.Novell.com" 

(for authentication), or it might return the URL: 

https://BorderManager:443?"https://www.Novell.com:443"

(authentication and force through the SSL-izer). Several
things are worth noting in such a redirection URL signal.

First, the redirection signal seeks to change the protocol 
from HTTP to HTTPS. As those of skill in the art will 
recognize, the HTTPS protocol uses secure sockets layer 
communication. A familiar embodiment of secure sockets 
layer communication is provided by SSL software operating 
according to U.S. Pat. No. 5,825,890 assigned to Netscape 
Communications Corporation. However, as used herein the 
term "secure sockets layer communication" is not limited to 
SSL connections but instead includes any form of network 
communication which utilizes encryption in TCP/IP sockets 
and which is widely available in Web browsers and the 
servers with which those browsers communicate. 

Second, the redirection signal refers to the border server 
106 as "BorderManager" in deference to the BorderManager 
product line from Novell, Inc. (BorderManager is a mark of 
Novell, Inc.). Those of skill in the art will understand that the 
border server 106 need not be a Novell BorderManager 
server, but need merely operate as claimed herein. 

Third, the redirection signal refers to port 443 of the 
border server 106. Those of skill in the art will appreciate 
that other ports may also be used, through a port override, 
for instance. Moreover, redirection need not utilize a dedi- 
cated port; it is simply convenient in many cases to do so. 

Fourth, in its most general form, the redirection signal 
simply includes a delimited non-secure URL adjoined to a 
secure URL. The non-secure URL http://www.Novell.com 
identifies the target server 104, while the secure URL 
https://BorderManager identifies the border server 106. To 
conform with HTTP syntax, the non-secure URL is delim- 
ited in the example redirection signal by double quotes; 
other delimiters may be used with other protocols. The 
non-secure URL is non-secure because it does not require 
use of a secure connection such as a secure sockets layer or 
SSL link; the secure URL is secure because it does require 
such a secure connection. 

Fifth, those of skill in the art will appreciate that directory 
path names and filenames may be appended to these 
examples to identify specific Web pages or other protected 
resources. For instance, the original request may have been 
for the web page which is located at
"http://www.Novell.com/~hashem/foo_design.htm".

Sixth, those of skill in the art will also appreciate that FTP 
files, gopher resources, and other data on the target server 
104 may be handled in a similar manner. 
Finally, those of skill in the art will appreciate that a wide
variety of signal field orderings, data sizes, and data 
encodings, and other variations are possible. The inventive 
signals may also be embodied in a system in various media.
For instance, they may take the form of data stored on a disk
or in RAM memory, or the form of signals on network 
communication lines. Some embodiments will include all 
signal elements discussed above, while others omit and/or 
supplement those elements. However, the distinctive features
of the invention, as set forth in the appended claims,
will be apparent in each embodiment to those of skill in the 
art. 
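The redirection signal discussed in the seven points above, as an added example: code written for this edit, not code from the patent or from Novell. BORDER_SERVER reuses the name in the text's example; INTERNAL_HOSTS and all function names are constructed. Besides building and parsing the nested URL, it carries out the check a border server must make before honouring the embedded URL once the user has authenticated: the target named inside the quotes has to be a location inside the secure network 100, otherwise the login page becomes an open redirector.

```python
"""Border-server redirection signal: build, parse and validate the nested URL
shown above. Added illustration for this edit, not code from the patent or any
Novell product; BORDER_SERVER, INTERNAL_HOSTS and the function names are constructed."""
from urllib.parse import unquote, urlsplit, urlunsplit

BORDER_SERVER = "BorderManager"  # the border server 106, named as in the text's example
INTERNAL_HOSTS = {"www.novell.com", "docs.intranet.example"}  # inside network 100 (constructed)


def to_https(url):
    """Substitute "https" for "http" in a target URL (port 443, as in the example)."""
    p = urlsplit(url)
    if p.scheme.lower() != "http":
        return url
    return urlunsplit(("https", f"{(p.hostname or '').lower()}:443", p.path, p.query, p.fragment))


def make_redirect_signal(target_url, force_sslizer=False):
    """Build https://BorderManager:443?"<target>" for the redirection step 122.

    The non-secure URL is delimited by double quotes exactly as the text shows.
    RFC 3986 does not allow a raw '"' in a URL, so browsers percent-encode it on
    the wire (%22); parse_redirect_signal() accepts either spelling.
    """
    if force_sslizer:  # second variant in the text: also force the target through the SSL-izer
        target_url = to_https(target_url)
    return f'https://{BORDER_SERVER}:443?"{target_url}"'


def parse_redirect_signal(signal):
    """Return (border_url, target_url) from a redirection signal, or raise ValueError.

    The border server must insist that the embedded URL points inside the
    secure network. Without that check this mechanism is an open redirector:
    after a successful login the server would send the freshly authenticated
    user to any site an attacker wrote into the query part.
    """
    border_part, sep, embedded = signal.partition("?")
    if not sep:
        raise ValueError("no embedded target URL")
    b = urlsplit(border_part)
    if b.scheme.lower() != "https" or (b.hostname or "").lower() != BORDER_SERVER.lower():
        raise ValueError("secure part does not name this border server over https")
    embedded = unquote(embedded)
    if len(embedded) < 2 or embedded[0] != '"' or embedded[-1] != '"':
        raise ValueError("embedded target URL is not quote-delimited")
    target = embedded[1:-1]
    t = urlsplit(target)
    if t.scheme.lower() not in ("http", "https") or (t.hostname or "").lower() not in INTERNAL_HOSTS:
        raise ValueError(f"refusing redirect to {target!r}: not inside the secure network")
    return border_part, target


def post_authentication_redirect(signal):
    """Where the border server sends the browser once the user is authenticated:
    the original target, with https substituted so the secure connection continues."""
    _, target = parse_redirect_signal(signal)
    return to_https(target)


if __name__ == "__main__":
    s = make_redirect_signal("http://www.Novell.com/~hashem/foo_design.htm")
    print(s)
    print(post_authentication_redirect(s))
    try:
        parse_redirect_signal('https://BorderManager:443?"http://attacker.example/"')
    except ValueError as e:
        print("rejected:", e)
```

The host check in parse_redirect_signal() is the piece the text leaves implicit. The embedded URL is attacker-controllable (anyone can mail a link that names the border server), so the border server must treat it as untrusted input: accept only hosts it actually fronts, and redirect after login only to the https form of such a host. Comparing hostnames case-insensitively and parsing with urlsplit, rather than matching the string against "http://www.Novell.com", avoids bypasses such as a user-info part ("http://www.novell.com@attacker.example/") that a prefix match would accept.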

During a step 124, a secure connection is formed between 
the border server 106 and the external client 112. This
connection may be, for instance, an SSL connection formed
in response to use of "https" as a protocol indicator in a 
request from the client 112 to the border server 106. For 
convenience, reference is made primarily to connections 
with a user of the external client 112. However, as noted
earlier the client 112 may itself be a server or another node
in a communications path between a user who is located at 
another machine 114 and who is seeking access to target 
server 104 data. 

As indicated in FIG. 2, in some cases the external client
112 may contact the border server 106 directly so that no
redirection is needed. That is, the initial request for access to 
the target server 104 may be directed to the border server 
106 to save time. Moreover, the initial request may be 
combined with a request for a secure connection as discussed
with reference to step 124.

Alternatively, the secure connection may be formed dur- 
ing step 124 before a specific request is made to the target 
server 104 despite the fact that step 200 is shown above step 
124 in FIG. 2. More generally, steps according to the present
invention may be performed in a variety of orders and the
execution of steps may overlap when the result of one step 
is not required by another step. Steps may also be omitted, 
renamed, repeated, or grouped differently than shown, pro- 
vided they accomplish the claimed process. 

During a step 126, the user is authenticated to the secure
network 100. This generally involves transmitting user 
authentication information over the secure connection from 
the client 112 to the border server 106, verifying the information
within the secure network 100, and notifying the user
that the authentication information has been accepted as
valid. This may be accomplished in various ways. 

For instance, some embodiments use an HTML page with 
scripts, or a Java applet, to present the user with a login 
screen. The user enters a user name and a corresponding
password in fields shown on the login screen. The username
and password are then transmitted over the secure connec- 
tion to the border server 106, which passes them in turn to 
an authentication system within the secure network 100. If 
the username and password are validated by the authentication
system, the border server 106 so notifies the user, and
the user is then granted access to secure network 100 data as 
described herein (subject to permissions and the like). 

In one embodiment which utilizes Novell NDS software 
140, the username and user password presented by the user
are that user's regular NDS name and password, which the
user would typically present when logging into the secure 
network 100 from an internal client. The user need not 
manage a separate username and/or password in order to 
login from an external client. The login screen presented to
the user may also include contextual information, such as the
user's context within an NDS tree. The border server 106 
presents the NDS username and password to the familiar 
NDS user authentication system, and looks to that authentication system for rejection or validation of the authentication information. Instead of using a Novell Directory Services database 140, or in addition to that database, the user authentication system may include a Microsoft Windows NT Domain directory 140. An embodiment of the invention which does not utilize NDS software may also authenticate a user to all servers in the secure network 100 after recognizing a single user name and a single corresponding user password.

During a step 128, non-secure data 130 is transmitted from the target server 104 to the border server 106, where it will be modified to promote continued security and then forwarded to the external client 112 during a transmitting step 132. In one embodiment, the transmitting step 128 includes a preliminary act and one or more subsequent repeated acts, as follows.

The preliminary act within the transmitting step 128 is to direct (or redirect) the external client 112 to the target server 104, and to promote use of a secure connection in so doing by making a secure connection the default. This may be done by using the HTTP redirection capability in combination with substitution of "https" for "http" in the URL which identifies the target server 104 data sought by the external client 112. In the example above, the original request from the external client 112 was for data at "http://

Java, Pascal, C++, C, Perl, shell scripts, assembly, firmware, microcode, logic arrays, PALs, ASICs, PROMS, and/or other languages, circuits, or tools as deemed appropriate by those of skill in the art.

During an optional caching step 206, the secure data 134 may be cached, using caching tools and techniques familiar in the art. Either, both, or neither of the caching steps 202, 206 may be present in a given embodiment. That is, the border server 106 may include zero, one, or two caches 110.

For instance, the non-secure data 130 may be stored in one cache 110 while the secure data 134 is stored in another cache 110. Secure data 134 is transmitted during a step 132 to external clients 112 from the secure cache 110, while non-secure data 130 is provided to internal clients from the non-secure cache 110. This split cache configuration provides the benefits of caching both to external clients and to internal clients, and it does not impose URL transformation processing costs on internal clients that only access non-secure data 130.

Another configuration stores data requested by external clients in one cache 110 regardless of whether the data has also been requested by internal clients, and stores data requested only by internal clients in another cache 110. The data requested by external clients is stored in its non-secure form and its URLs are transformed to create secure data 134 only as needed before putting data on the wire to an external

www.Novell.com" so the redirection back to the target client. The data sent to internal clients may include a mixture 

server 104 (after the user is authenticated to the secure of non-secure data 130 and secure data 134; during step 132 

network 100 during step 126) would seek data at "https:// only secure data 134 is sent to external clients. 

www.Novell.co m" with directory and path names appended 30 Alternatively, all data sent to internal and/or external 

as in the original request. clients may be stored in a single cache 110, with URL 

The possibly repeated acts within the transmitting step transformation again being performed on-the-fly as needed 

128 involve sending one or more Web pages, files, or other when cached data is to be sent to an external client during 

pieces of non-secure data 130 from the target server 104 to step 132. Of course, caching may also be simply omitted in 

the border server 106. The data 130 is non-secure in that it 35 some embodiments. 

includes hypertext links, URLs, or other references which, if As discussed above, the invention may operate by sending 

presented by the external client 112 to the secure network non-secure data 130 from the target server 104 to the border 

100, would not necessarily require use of a secure connec- server 106, where the data is transformed by the URL 

tion such as an SSL connection and which might allow transformer 108 and then transmitted as secure data 134 to 

non-secure access to protected network 100 data. For 40 the external client 112. Several variations on this approach 

instance, Web pages which contain URLs specifying are also possible according to the invention. Some involve 

"http;//" rather than "https ://" in reference to data stored on caching alternative discussed above. Other variations alter 

the target server 104 are examples of non-secure data 130. the location or function of the URL transformer 108 and/or 

During an optional caching step 202, the non-secure data involve tunneling. 

130 may be cached in a cache 110 at the border server 106 . 45 For example, after the user is authenticated during step 

Caching tools and techniques familiar in the art may be used; 126 the border server 106 may function merely as a node on 

caching is discussed further below. a path which carries secure data 134 from the target server 

During a transforming step 204, the non-secure data 130 104 to the external client 112. This configuration may be 

is transformed into secure data 134 by an URL transformer appropriate if the target server 104 only holds secure data 

108 which replaces non-secure URLs with corresponding 50 134. Even if the URL transformer 108 rarely or never 

secure URLs. For instance, the URL transformer 108 may modifies any URLs in practice, it may still be capable of 

employ familiar string search-and-replace algorithms to performing such modifications in case its filtering function 

replace each instance of the string "http" which is tagged in does find any non-secure URLs. In addition, or as an 

HTML data 130 as an URL protocol indicator by the string alternative, the URL transformer 108 may notify an admin- 

"https". As noted, similar steps may be taken with FTP and 55 istrator if non-secure URLs are found, 

other protocol indicators. It may also be appropriate for the border server 106 to 

Care should be taken to avoid replacing string instances function merely as a data carrier node if an URL transformer 

which are not being used within an URL as a protocol 108 is part of the target server 104 instead of (or in addition 

indicator. For example, instances of the string "http" in the to) being part of the border server 106. The target server 104 

text of this patent application would not be replaced, nor 60 can then transform any non-secure data 130 into secure data 

would instances which are being used as part of a directory 134 before forwarding that data 134 to the border server 106 

path or a filename rather than a protocol indicator, because for subsequent transmission to the external client 112. For 

such replacements would not promote continued use of example, in one embodiment a transmitting step 136 sends 

secure sockets layer communication. secure data in tunneling packets 138 to the border server 

Like other elements of the present invention, the trans- 65 106, which then forwards the data 138 to the external client 

former 108 may be implemented using the teachings pre- 112 during a step 132. Familiar tunneling tools and tech- 

sented here with programming languages and tools such as niques may be used during step 136 to transmit data which 
has been made secure through URL transformation according to the invention.

Additional Information

FIGS. 3 and 4 further illustrate the invention. FIG. 3 shows a configuration containing two target servers 300, 302, illustrating the fact that some embodiments of the invention involve two (or more) target servers 104. Thus, confidential data 304 to which an external client 112 seeks access may be stored in the secure network 100 on one or more target servers 104. The protected data 304 may be a mix of secure (e.g., containing "https" only) data and non-secure (e.g. at least one instance of "http" referring to data within the secure network 100) data.

In FIG. 3 the URL transformer 108 is located in the border server 106. By contrast, FIG. 4 shows a configuration in which the URL transformer 108 is part of the target server 104. Accordingly, the configuration of FIG. 3 assumes that non-secure confidential data 304 is sent from the target server 104 to the border server 106, transformed at the border server 106 by the URL transformer 108, and then provided to the external client 112. By contrast, the configuration of FIG. 4 assumes that non-secure confidential data 304 is transformed into secure data by the URL transformer 108 at the target server 104, after which the modified data is sent either directly to the external client 112 (bypassing the border server 106) or indirectly to that client 112 by way of the border server 106. Indirect transmission of secure data from the target server 104 through the border server 106 to the external client 112 could utilize, for instance, familiar tunneling tools and techniques.

For purposes of illustration, FIG. 3 shows both a non-secure data cache 306 and a secure data cache 308 as part of the border server 106. As discussed above, however, the border server 106 may also be configured according to the invention with only one of these two caches 306, 308, or with a combined cache 110 containing both secure and non-secure data, or with no cache 110. Those of skill in the art will also appreciate that the target server 104 may also include zero or more caches 110.

The border server 106 includes secure sockets layer software 310, and the external client 112 includes corresponding secure sockets layer software 318. As noted above, any commercially available software which provides a secure connection through encryption at the sockets level can be used to form the secure connection provided by the software 310, 318. Suitable software 310, 318 thus includes the SSL software provided commercially by Netscape Corporation and other vendors.

The border server 106 also includes management software 312. In various embodiments, the management software 312 provides some or all of the following functionality to permit system operation as discussed herein: handling requests which are redirected during step 122 and subsequently redirecting the external user back to that target server 104 after step 124 forms a secure connection and step 126 authenticates the user; invoking the URL transformer 108 as necessary to prevent non-secure data from being transmitted to an external client 112; managing the caches 110; interfacing with a network user authentication system 316 such as the NDS authentication system; logging user and/or system activity; alerting administrators to possible problems such as multiple failed authentication attempts, failed secure connection attempts and/or lack of resources such as memory or disk space; and managing information such as the IP address and/or session identifier used by a given external client 112 to make certain that secure data is transmitted only to the authenticated user.

The border server 106 also includes standard network and operating system software 314. Suitable networking software 314 includes Novell NetWare software, various TCP/IP implementations, Ethernet software, and other commercially available networking software. Suitable operating system software 314 includes UNIX, Linux, and UNIX variations, Microsoft Windows, and other commercially available operating system software.

The client 112 likewise includes networking and operating system software 320. Suitable software 320 includes commercially available software such as that previously mentioned. It is not necessary for the client 112 and the border server 106 to be running the same operating system and/or the same networking software, so long as a secure connection can be formed. For instance, the border server 106 might use UNIX software while the client 112 runs Windows 2000 software, with each using their respective SSL software to provide the necessary secure connection.

The client 112 includes an application program or some other piece of requesting software 322 which makes the access request during step 120. Requests may be prompted by human users and/or by system tasks or threads. The software 322 which seeks access to confidential data 304 from outside the security perimeter 102 will often be a Web browser. However, the present invention also provides secure access to other types of requesting software, including without limitation: indexing programs, search programs, database-building tools, archival tools, administrative tools, collaborative writing tools, multimedia conferencing software, and lower-level software such as file system software, operating system software, and/or networking software.

The client 112 also contains user authentication information 324. As noted above, the authentication information 324 which is used to authenticate the user and/or client to the network 100 during step 126 will often include a user name and a corresponding user password. These are preferably the same name and password used by the authorized user to log into an internal client of the secure network 100. In place of, or in addition to a user name and password, the authentication information may include certificates, tokens, public keys, and/or data from authentication tools such as biometric scans, voice prints, retinal scans, fingerprint scans, magnetic card reader results, and so on. A wide variety of suitable authentication information is familiar to those of skill in the art.

The configuration shown in FIG. 4 has much in common with the configuration shown in FIG. 3, at least with respect to many of the individual components. For instance, the comments made above regarding the confidential data 304, the caches 110, the URL transformer 108, the secure sockets layer software 310, 318, the network and operating system software 314, 320, the requesting software 322, the network user authentication system 316, and the user authentication information 324 apply to both Figures.

However, the functionality of the management software 312 on the border server 106 may be divided in the configuration of FIG. 4 between management and tunneling software 400 in the target server 104 and management and tunneling software 402 in the border server 106. The management software 312 functionality may also be supplemented by tunneling functionality. Suitable tunneling functionality is available through the literature and commercially available tunneling implementations.

The software 400 may also include the redirector for redirecting to the border server 106 the request made by the client 112 for direct access to the target server 104. This
allows user authentication during step 126 to be performed by the border server 106 while URL transformation and data transmission are performed by the target server 104 and/or by the target server 104 in combination with the border server 106.

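The following is an added example, not code from the patent or from Novell, of the three mechanisms the detailed description above combines: the search-and-replace of transformer 108 restricted to URL protocol indicators (so that "http" in page text, in a directory name or in a file name is left alone, the caveat raised with the transforming step 204), the redirect of an external request to the border server and back to the target over https (steps 122 and 128), and the single-cache variant in which transformation is performed on the fly only for external clients. The protected host names, the border server name, the `next` parameter and the sample page are constructed for illustration; the refusal to redirect to a host outside the protected set is an added safeguard, not something the patent describes.

```python
"""Added example, not code from the patent or from Novell: a URL
transformer in the spirit of transformer 108, the redirects of steps 122
and 128, and on-the-fly serving from a single cache 110.  Host names,
border server name and sample page are constructed for illustration."""
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed: host names of target servers 104 inside the secure network 100.
# Only URLs pointing at these hosts are forced to https.
PROTECTED_HOSTS = {"www.novell.com", "intranet.example.test"}

# "http://..." is rewritten only when it is the value of a URL-bearing HTML
# attribute.  The string "http" in visible text, in a directory name or in a
# file name is therefore never touched (the caveat the text raises).
_ATTR_URL = re.compile(
    r'(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["\'])http://(?P<rest>[^"\']*)(?P=q)',
    re.IGNORECASE,
)


def secure_url(url: str) -> str:
    """Return the https form of an http URL that points at a protected
    target server; any other URL (https, ftp, other hosts) is unchanged."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "http" and parts.hostname in PROTECTED_HOSTS:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def transform(html: str) -> Tuple[str, List[str]]:
    """Transforming step 204: returns the secure data 134 together with the
    list of non-secure URLs that were found, so the border server can log
    them or notify an administrator."""
    found: List[str] = []

    def repl(m: "re.Match") -> str:
        original = "http://" + m.group("rest")
        new = secure_url(original)
        if new != original:
            found.append(original)
        return f'{m.group("attr")}{m.group("q")}{new}{m.group("q")}'

    return _ATTR_URL.sub(repl, html), found


def login_redirect(requested_url: str, border_host: str) -> str:
    """Step 122: send the external client to the border server's login page,
    carrying the originally requested URL so it can be resumed later."""
    return f"https://{border_host}/login?next={quote(requested_url, safe='')}"


def post_auth_redirect(next_url: str) -> Optional[str]:
    """Preliminary act of step 128: after authentication, redirect back to
    the original target with https substituted for http.  Returns None if
    the resumed URL does not point at a protected host (an added safeguard
    against open redirects, not something the patent describes)."""
    secure = secure_url(next_url)
    if urlsplit(secure).hostname not in PROTECTED_HOSTS:
        return None
    return secure


class BorderCache:
    """Single-cache variant: cache 110 holds non-secure data 130 and URL
    transformation is done on the fly only for external clients."""

    def __init__(self) -> None:
        self._pages = {}

    def put(self, path: str, html: str) -> None:
        self._pages[path] = html

    def serve(self, path: str, external: bool) -> str:
        html = self._pages[path]
        if not external:
            return html  # internal clients receive data 130 untouched
        secure, _found = transform(html)
        return secure


# Constructed sample page: two protected links, text and path instances of
# "http", an already-secure form action, an outside host and a relative URL.
SAMPLE_PAGE = (
    "<html><body>"
    "<p>See http://www.novell.com in text; docs live under /docs/http/</p>"
    '<a href="http://www.Novell.com/sales/q1.html">Q1</a>'
    '<img src="http://www.novell.com/images/http-logo.gif">'
    '<a href="http://www.example.org/public">outside the perimeter</a>'
    '<form action="https://www.novell.com/login"></form>'
    '<a href="/relative/http/file.txt">relative</a>'
    "</body></html>"
)

if __name__ == "__main__":
    secure_html, found = transform(SAMPLE_PAGE)
    print(secure_html)
    print("non-secure URLs found:", found)
```

Run as a script, the block prints the rewritten page and the two non-secure URLs it found; the href and src pointing at the protected host become https, while the "http" in the paragraph text, in the /docs/http/ path, in the http-logo.gif file name, in the relative link and in the link to the outside host are all left as they were.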
Summary 

The present invention uses novel URL transformations and/or more familiar mechanisms such as HTTP redirection and SSL software to provide secure authentication of a user from an external client and to then provide secure transmission of confidential data between the target server and the external client. By transforming non-secure URLs into secure URLs, the invention forces continued use of secure communications despite the inherent security problems of HTTP. These problems arise from the fact that HTTP does not normally "remember" security requirements from one Web page transmission to the next. The present invention forces use of a secure connection each time the user follows an URL to confidential data. Moreover, the invention provides this security without requiring any additional distribution or installation of client software onto the external client(s) beyond that which is already widely used.
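As an added example, not code from the patent or from Novell, the block below models the bookkeeping the detailed description assigns to the management software 312: recording the IP address and session identifier when the secure connection is formed, alerting an administrator after multiple failed authentication attempts, and releasing secure data only to the authenticated user at that same address and session. The session identifiers, addresses, user name, alert threshold and log format are all constructed; the patent fixes none of them.

```python
"""Added example, not code from the patent or from Novell: bookkeeping of
the kind the text assigns to management software 312.  Threshold, names
and sample events are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FAILED_AUTH_ALERT_THRESHOLD = 3  # constructed policy value, not from the patent


@dataclass
class Session:
    session_id: str
    ip: str
    user: str = ""
    authenticated: bool = False


@dataclass
class ManagementState:
    sessions: Dict[str, Session] = field(default_factory=dict)
    failed: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (user, ip) -> count
    alerts: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)


def form_secure_connection(state: ManagementState, session_id: str, ip: str) -> None:
    """Step 124: record the IP address and session identifier that together
    indicate the current location of the (not yet authenticated) user."""
    state.sessions[session_id] = Session(session_id=session_id, ip=ip)
    state.log.append(f"connect sid={session_id} ip={ip}")


def record_authentication(state: ManagementState, session_id: str, user: str, valid: bool) -> bool:
    """Step 126: apply the verdict returned by the authentication system 316.
    Repeated failures for the same user/IP pair raise an administrator alert."""
    sess = state.sessions[session_id]
    key = (user, sess.ip)
    if valid:
        sess.user, sess.authenticated = user, True
        state.failed.pop(key, None)
        state.log.append(f"auth ok user={user} sid={session_id}")
        return True
    state.failed[key] = state.failed.get(key, 0) + 1
    state.log.append(f"auth fail user={user} sid={session_id} count={state.failed[key]}")
    if state.failed[key] >= FAILED_AUTH_ALERT_THRESHOLD:
        state.alerts.append(
            f"{state.failed[key]} failed authentication attempts for {user} from {sess.ip}"
        )
    return False


def may_send_secure_data(state: ManagementState, session_id: str, ip: str) -> bool:
    """Guard for transmitting step 132: secure data 134 goes only to an
    authenticated session, and only to the IP address recorded for it."""
    sess = state.sessions.get(session_id)
    return sess is not None and sess.authenticated and sess.ip == ip


def demo() -> ManagementState:
    """Constructed sequence: three bad passwords, then a good one, then a
    request carrying the same session id from a different address."""
    st = ManagementState()
    form_secure_connection(st, "sid-1", "203.0.113.7")
    for _ in range(3):
        record_authentication(st, "sid-1", "alice", valid=False)
    record_authentication(st, "sid-1", "alice", valid=True)
    same_ip = may_send_secure_data(st, "sid-1", "203.0.113.7")
    other_ip = may_send_secure_data(st, "sid-1", "198.51.100.9")
    st.log.append(f"send same-ip={same_ip} other-ip={other_ip}")
    return st


if __name__ == "__main__":
    result = demo()
    print("\n".join(result.log))
    print("alerts:", result.alerts)
```

The failed-attempt counter is keyed on the user name and source address rather than on the session alone, so a fresh SSL connection for each guess does not reset it; the delivery guard checks the recorded address on every transmission, which is what lets the border server make certain that secure data reaches only the authenticated user.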

Although particular methods and signal formats embodying the present invention are expressly described herein, it will be appreciated that system and storage media embodiments may also be formed according to the signals and methods of the present invention. Unless otherwise expressly indicated, the description herein of methods and signals of the present invention therefore extends to corresponding systems and storage media, and the description of systems and storage media of the present invention extends likewise to corresponding methods and signals.

As used herein, terms such as "a" and "the" and item designations such as "URL" are inclusive of one or more of the indicated item. In particular, in the claims a reference to an item means at least one such item is required. When exactly one item is intended, this document will state that requirement expressly.

The invention may be embodied in other specific forms without departing from its essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. Headings are for convenience only. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

What is claimed and desired to be secured by patent is:

1. A distributed computing system allowing secure external access to a secure network, the system comprising:

a target server within the secure network;

a border server within the secure network, the border server connectable to the target server by a first communications link;

a client outside the secure network, the client connectable to the border server by a second communications link, the client and the border server configured to support secure sockets layer communication over the second communications link;

a user authentication system located at least partially within the secure network, the secure network configured to allow direct access to the target server by a user only after the user is authenticated by the user authentication system; and

a uniform resource locator transformer which modifies non-secure uniform resource locators in data being sent from the target server to the client by replacing them with corresponding secure uniform resource locators to promote continued use of secure sockets layer communication.

2. The system of claim 1, wherein the uniform resource 
locator transformer is located on the border server. 

3. The system of claim 1, wherein the uniform resource 
locator transformer is located on the target server and the 
system further comprises tunneling software for tunneling 
between the client and the target server through the border 
server. 

4. The system of claim 1, wherein the secure network is 
configured to allow direct access to the target server from 
network addresses within the secure network while denying 
direct access to the target server from network addresses 
outside the secure network. 

5. The system of claim 1, wherein the secure network 
includes a secured intranet. 

6. The system of claim 1, wherein the client is a multi-user 
client. 

7. The system of claim 6, wherein at least two user 
workstations are connected to the client. 

8. The system of claim 1, wherein the user authentication 
system includes a directory services database. 

9. The system of claim 1, wherein the user authentication 
system includes a domain directory. 

10. The system of claim 1, wherein the user authentication 
system authenticates the user to all servers in the secure 
network after recognizing a single user name and a single 
corresponding user password.

11. The system of claim 1, further comprising a redirector 
for redirecting to the border server a request made by the 
client for direct access to the target server. 

12. The system of claim 1, wherein the border server 
includes at least one cache. 

13. The system of claim 12, wherein the border server 
cache includes data from the target server which contains 
non-secure uniform resource locators, and the uniform 
resource locator transformer introduces secure uniform 
resource locators on the fly without requiring that the 
transformed data also be cached on the border server. 

14. The system of claim 12, wherein the border server 
cache includes a non-secure data cache for internal clients
and a secure data cache for external clients, the non-secure 
data cache holding data that contains non-secure uniform 
resource locators, and the secure data cache holding data that 
does not contain non-secure uniform resource locators. 

15. The system of claim 12, wherein the border server 
cache is free of data that contains non-secure uniform 
resource locators. 

16. A method for providing access to a secure network, the 
method comprising the steps of: 

receiving a request for access to a target server which is 
within the secure network, the access request having 
been made by a user outside the secure network; 

forming a secure sockets layer connection between the 
user and a border server which is within the secure 
network; 

using the secure sockets layer connection and a user 
authentication system of the secure network to authen- 
ticate the user to the secure network; 

modifying data by replacing non-secure uniform resource 
locators in the data with corresponding secure uniform 
resource locators which promote continued use of 
secure sockets layer communication; and 

transmitting the modified data to the user over a secure 
sockets layer connection. 
17. The method of claim 16, wherein the modifying step is preceded by the step of transmitting the data to be modified from the target server to the border server in response to the access request, and the modifying step is performed at the border server.

18. The method of claim 17, further comprising the step of caching data on the border server.

19. The method of claim 16, wherein the modifying step is performed at the target server, and the transmitting step transmits the modified data to the user over a secure sockets layer connection which tunnels through the border server.

20. The method of claim 16, wherein the receiving step includes receiving the access request at the target server and the method further comprises the step of redirecting the request to the border server before the forming step.

21. The method of claim 16, wherein the forming step includes storing an IP address which indicates the current location of the user, and the step of transmitting the modified data to the user transmits the data only to that same IP address.

22. The method of claim 16, wherein the forming step forms an SSL connection.

23. The method of claim 16, wherein the using step includes obtaining from the user a user name and a user password.

24. The method of claim 16, wherein the step of modifying the data includes replacing the string "http" with the string "https" in at least one uniform resource locator.

25. A computer storage medium having a configuration that represents data and instructions which will cause performance of method steps for providing access to a secure network, the method comprising the steps of:

receiving at a target server which is within the secure network a request for access to the target server, the access request having been made by a user outside the secure network;

redirecting the request to a border server which is within the secure network;

forming a secure connection between the user and the border server, the secure connection utilizing at least a transport layer protocol and lower level protocols, security in the connection being provided at least by encryption performed above the transport layer protocol;

using the secure connection and a user authentication system of the secure network to authenticate the user to the secure network;

modifying data by replacing non-secure uniform resource locators in the data with corresponding secure uniform resource locators which promote continued use of secure communication; and

transmitting the modified data to the user over a secure connection.

26. The configured storage medium of claim 25, wherein the forming step includes storing an IP address and a session identifier which collectively indicate the current location of the user, and the step of transmitting the modified data to the user transmits the data only to that same IP address and session.

27. The configured storage medium of claim 25, wherein the using step includes obtaining from the user a user name and password for network-wide authentication.

28. The configured storage medium of claim 25, wherein the modifying step is preceded by the step of transmitting the data to be modified from the target server to the border server in response to the access request, and the modifying step is performed at the border server.

29. The configured storage medium of claim 28, wherein the method comprises the step of caching data on the border server.

30. The configured storage medium of claim 25, wherein the modifying step is performed at the target server, and the transmitting step transmits the modified data to the user over a secure sockets layer connection which tunnels through the border server.

* * * * *